Risky hospital business: happy device hacking, insider data breaches

A heap of ‘insanely easy’ hospital hacking, but no harm done: Essentia Health’s head of information security, Scott Erven, set his team to work, with management approval, on hacking practically every internal device and system over two years, and found that most were ‘insanely easy’ to compromise. They successfully took control of drug infusion pumps, EHRs, Bluetooth-enabled defibrillators, surgery robots, CT scanners, networked refrigerator temperature settings and X-ray machines; had a real attacker done the same, the results could have been disastrous. The common security holes in networked equipment are the familiar ones: no authentication at all, weak passwords, embedded web services, and the list goes on. Mr Erven presented this at an industry meeting in April without naming brands or devices, as he is still trying to get them fixed. Essentia Health operates about 100 facilities, including clinics, hospitals and pharmacies, in Minnesota, North Dakota, Wisconsin and Idaho, and deserves much credit for facilitating this study. This is the environment into which we will be plonking tons of patient information in PHRs and telehealth monitoring. Pass the painkillers. Summary in HealthIT Outcomes; much more essential detail in Wired, worth the read.

The ‘Maybe No One Will Notice’ Data Breach: The recent incident at the University of Massachusetts Memorial Medical Center in Worcester illustrates how hard it is, even for academic medical centers, to detect data security breaches, particularly when they are small, sneaky, spread over time and committed by an insider. UMass uncovered a series of low-profile breaches by a former employee who helped himself to patient information such as name, address, date of birth and Social Security number, and may have used it to open credit card and mobile phone accounts. Only four records appear to have been misused in this way, but at least 2,400 records are estimated to have been improperly accessed over 12 years, a pace slow enough to make the pattern even harder to spot. Perhaps the employee was funding retirement? HealthcareInfoSecurity

The ‘Ambulance Chaser’ Data Breach: What better way for lawyers and shady outpatient clinics to get accident patients fresh from the ER (ED) than to have someone on the inside feeding them patient information? At New York’s Jamaica Hospital Medical Center, two registrars accessed the records of 250 patients, including the usual identifying data plus details on their injuries and medical treatment. Many of those patients were later contacted by said lawyers and clinics. The Queens District Attorney is now investigating whether this strange coincidence is actually cause-and-effect, that is, whether the two defendants sold the patient information. HealthcareInfoSecurity. Privacy experts concede that ‘insider’ theft, and this includes contractors, third-party vendors and business associates, is extremely difficult to catch and requires human vigilance along with tech ‘snooping’: the accesses are usually technically authorised, so the only evidence is a pattern in the audit logs.
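Both insider cases above have the same shape: the accesses were made with valid credentials, so detection is audit-log review rather than perimeter defence. The following Python is an added example, not code from either hospital or from the articles cited. It runs three common checks over a few constructed EHR access-audit lines: a role/field mismatch (a registrar reading injury and treatment details), accesses to patients with no documented treatment relationship, and a slow-and-low pattern of such accesses spread over years. The log format, the CARE_TEAM mapping, the field and role names and the thresholds are all assumptions made for the example.

```python
"""Audit-log review for insider record snooping (added example; all data constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed EHR access-audit lines: timestamp | user | role | patient | fields read.
# The format is an assumption; real systems log richer context (workstation, encounter, reason).
AUDIT_LOG = """\
2014-01-03T08:12:00|jdoe|registrar|P1001|demographics
2014-01-03T08:15:00|jdoe|registrar|P1001|demographics,injury,treatment
2014-01-03T09:40:00|jdoe|registrar|P1002|demographics,injury
2014-01-04T10:05:00|jdoe|registrar|P1003|demographics,treatment
2014-01-04T11:00:00|nurse1|nurse|P1001|demographics,injury,treatment
2014-01-05T14:22:00|nurse1|nurse|P1004|demographics,treatment
2012-02-10T13:00:00|acct9|billing|P2001|demographics,ssn
2013-06-21T13:05:00|acct9|billing|P2002|demographics,ssn
2014-01-07T13:10:00|acct9|billing|P2003|demographics,ssn
"""

# Constructed treatment relationships: patient -> users with an encounter or assignment.
# In practice this comes from the ADT/scheduling system, not a hand-written dict.
CARE_TEAM = {
    "P1001": {"nurse1", "jdoe"},
    "P1002": {"jdoe"},
    "P1003": {"nurse1"},
    "P1004": {"nurse1"},
    "P2001": {"billing_team_A"},
}

# Assumed policy: these fields are clinical detail; these roles have no clinical need for them.
CLINICAL_FIELDS = {"injury", "treatment", "diagnosis"}
ROLES_WITHOUT_CLINICAL_NEED = {"registrar", "billing"}


def parse_log(text):
    """Turn the pipe-separated audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, fields = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "fields": set(fields.split(",")),
        })
    return events


def role_field_mismatches(events):
    """Clinical detail read by a role that has no clinical need for it (the registrar pattern)."""
    return [
        (e["user"], e["patient"], sorted(e["fields"] & CLINICAL_FIELDS))
        for e in events
        if e["role"] in ROLES_WITHOUT_CLINICAL_NEED and e["fields"] & CLINICAL_FIELDS
    ]


def accesses_without_relationship(events):
    """Accesses to patients the user has no documented treatment relationship with."""
    return [e for e in events if e["user"] not in CARE_TEAM.get(e["patient"], set())]


def slow_and_low_users(events, min_patients=2, min_span_days=365):
    """Users whose unrelated accesses are few at any one time but stretch over a long period."""
    per_user = defaultdict(list)
    for e in accesses_without_relationship(events):
        per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        patients = {e["patient"] for e in evs}
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).days
        if len(patients) >= min_patients and span >= min_span_days:
            flagged[user] = {"patients": len(patients), "span_days": span}
    return flagged


def review(text=AUDIT_LOG):
    """Run all three checks over an audit-log text and return the findings."""
    events = parse_log(text)
    return {
        "role_field_mismatches": role_field_mismatches(events),
        "no_relationship": [(e["user"], e["patient"]) for e in accesses_without_relationship(events)],
        "slow_and_low": slow_and_low_users(events),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(check, findings)
```

Two points worth noting from the constructed data. The registrars in the Jamaica Hospital case almost certainly had a legitimate registration relationship with the patients they looked up, so a relationship-only rule would never fire on them; it is the role-versus-field mismatch that surfaces that pattern. Conversely, the UMass case is only visible if the lookback window matches the audit-log retention: a rule that examines the last 90 days cannot see a few records a year over 12 years, which is why the slow-and-low check keys on span rather than volume. Any such rules also need a documented break-glass path, or emergency access will bury reviewers in false positives.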

The ‘Ask The Techie Before You Unplug It, Doc’ Data Breach: The largest HIPAA settlement to date, $4.8 million in total ($3.3 million from New York-Presbyterian Hospital and $1.5 million from Columbia University), has been levied by the Department of Health and Human Services (HHS) for a 2010 breach of 6,800 records. It happened when a Columbia doctor, who had developed applications for both facilities, deactivated a personally owned server on the network holding data for NYP patients. A “lack of technical safeguards” then left the information accessible to Internet search engines. The practical lesson: a device that was never inventoried or risk-assessed is a device nobody knows is holding the perimeter up until it is switched off. FierceHealthIT

Our definitions

Telehealth and Telecare Aware posts pointers to a broad range of news items. Authors of those items often use the terms 'telecare' and 'telehealth' in inventive and idiosyncratic ways. Telecare Aware's editors can generally live with that variation. However, when we use these terms we usually mean:

• Telecare: from simple personal alarms (AKA pendant/panic/medical/social alarms, PERS, and so on) through to smart homes that focus on alerts for risk including, for example: falls; smoke; changes in daily activity patterns and 'wandering'. Telecare may also be used to confirm that someone is safe and to prompt them to take medication. The alert generates an appropriate response to the situation allowing someone to live more independently and confidently in their own home for longer.

• Telehealth: as in remote vital signs monitoring. Vital signs of patients with long term conditions are measured daily by devices at home and the data sent to a monitoring centre for response by a nurse or doctor if they fall outside predetermined norms. Telehealth has been shown to replace routine trips for check-ups; to speed interventions when health deteriorates, and to reduce stress by educating patients about their condition.

Telecare Aware's editors concentrate on what we perceive to be significant events and technological and other developments in telecare and telehealth. We make no apology for being independent and opinionated or for trying to be interesting rather than comprehensive.